Risk Management Monitor
The Risk Management Blog
http://www.riskmanagementmonitor.com

Q&A: Cape Town’s ‘Day Zero’
Thu, 15 Mar 2018 13:01:43 +0000

On March 22, annual World Water Day will be especially relevant, as the United Nations and its co-sponsors hope to raise global awareness of water risks—particularly in Cape Town, South Africa. As we previously reported, a diminishing water supply is that city’s top priority, as it is counting down to a possible “Day Zero” (which had been set for July 9, but the City has stopped providing a date), when it could effectively become the first major city to run dry.

One of World Water Day’s partners is World Wide Fund For Nature South Africa (WWF-SA), an arm of what was formerly known as the World Wildlife Fund. Christine Colvin, senior manager of Freshwater for WWF-SA, recently discussed Cape Town’s struggles and how other major cities and businesses can learn from the preparedness plan and efforts to avoid a total drought.

Risk Management Monitor: Cape Town, which has 4 million residents, has a preparedness plan in effect that includes rationing among 200 water distribution points for 25 liters per person. Do you feel this plan is sustainable?

Christine Colvin: At this stage, the general consensus is that Day Zero is not as imminent a threat as it was earlier in the year, and in all likelihood, there will be some rain and augmentation schemes will start to come online before dams drop to the critical 13.5% (which would activate the disaster plan). Consequently, the major push is to encourage citizens to stay within their current daily limit of 50 liters of water per person, per day to see us through to the rainy season and beyond. If we are able to achieve this objective, the hope is that we should push out Day Zero as far as possible, thus buying the city time to bring on augmentation schemes.

RMM: How could Cape Town officials explore nature-based solutions (this year’s World Water Day campaign) to its water challenges?

Colvin: Ecological infrastructure is the foundation of water security and the first link in the water value chain. If our catchments are healthy and functional they deliver better quality, more reliable yields of water into our dams and aquifers. If they are invaded with alien vegetation or degraded by over-grazing or over-burning then they yield less water and more silt that will eventually destroy any downstream infrastructure we build to deliver water to our homes and farms. WWF-SA actively advocates the protection of water source areas through, among other things, water stewardship and catchment clearance of alien vegetation and has actively communicated this approach to the City of Cape Town during this drought period.

In our communications to the general public, we also encourage better stewardship of existing natural water sources such as groundwater and rivers, and promoting a water-wise culture. Our stewardship work in the Western Cape, the province in which Cape Town is located, focuses strongly on the agricultural sector which is a key industry for the region.

RMM: What steps can a major city take to prepare for a drought?

Colvin: Our Wednesday Water File on international case studies highlights many pertinent actions, perhaps best summarized in the Australian example:

• Invest in fixing leaking infrastructure—one of the most cost-effective measures to improve water supplies

• Introduce a demand management program which includes strict new legal requirements on business and domestic water use, coupled with a major education campaign

• Diversify water supplies so if one source fails others can be drawn on, among them: dams, desalination, recycled water, rainwater tanks, groundwater, and storm water harvesting

• Create a water grid which links major regional water supplies so water can be moved to where it is needed

RMM: How is World Water Day raising awareness to the situation in Cape Town?

Colvin: While water is top of mind in Cape Town, the intention is to remind all South Africans that we live in a water-stressed country and the protection of strategic Water Source Areas and their natural capital is a national project. Water source areas are particularly important—making up 8% of South Africa’s land area but delivering 50% of our river flow to the rest of the country. Good management of these high rainfall mountainous headwater areas delivers a high return on investment downstream.

World Water Day is an important time to reflect on the relationship between water and nature. Many, but not all, residents of Cape Town are now aware of the “new normal” in which we are likely to experience much drier periods and have to conserve water but it remains vital to reinforce the message that water does not come from a tap—it comes from nature.

2 Fertility Clinic Failures a ‘Bad Coincidence’
Tue, 13 Mar 2018 19:24:16 +0000

Equipment failures on the same day at two fertility clinics located across the country from each other—in California and Ohio—may have damaged or destroyed thousands of frozen eggs and embryos. The simultaneous “black swan events” appear to have no connection to each other and have experts mystified.

Dr. Carl Herbert, president of the Pacific Fertility Clinic in San Francisco, told ABC News in an interview released Monday that a senior embryologist noticed the nitrogen level in one tank was very low during a routine check of the tanks on March 4. The embryologist, he said, “immediately rectified” the problem by refilling the tank. The embryos were later transferred to a new tank.

Dr. Kevin Doody, lab director at the Center for Assisted Reproduction in Texas and past president of the Society for Assisted Reproductive Technology, told The Associated Press that the nearly simultaneous storage failures are “beyond stunning” but appear to be “just a bad, bad, bad coincidence.”

The Washington Post reported that the services of fertility clinics — and therefore egg- and embryo-freezing — have become increasingly popular in the U.S.

The number of egg-freezing patients jumped from 475 in 2009 to 7,518 in 2015, the most recent year for which figures are available from the Society for Assisted Reproductive Technology. In total, about 20,000 American women have had their eggs preserved.

According to the clinic’s website, its fees for egg freezing are $8,345 for the initial cycle and $6,995 for each subsequent round. Herbert said, for patients still eager to use their eggs or embryos to try to become pregnant, the physicians and other staff will first thaw them to find out whether they are viable. If they are not, he said, “we are going to make our patients happy one way or another.”

Meanwhile, a Pennsylvania couple and an Ohio couple that lost embryos have filed a class action lawsuit against the Cleveland hospital where officials estimate about 2,000 frozen eggs and embryos may have been damaged.

As for risk management of such facilities, Doody noted that the industry in the long run will end up being safer because there will be investigations and other facilities will examine their own backup measures and alarm systems.

Copycat Threats Escalate After Fla. School Shooting
Fri, 09 Mar 2018 18:01:23 +0000

Numbers of bomb threats and false alarms following the deadly Feb. 14 shooting at the Marjory Stoneman Douglas High School in Parkland, Florida have jumped, causing fear and panic across the U.S. and creating havoc for school personnel and law enforcement.

The threats are mostly carried out by students too young to realize the repercussions of their comments—which most often are posted on social media sites.

The sharp rise in false alarms, from 10 to about 70 a day, has left school administrators and authorities with the precarious job of determining the threat’s credibility. Worried parents often fear sending their children to school.

Every school day in the week after Feb. 14, the day of the attack at the Florida high school, at least 50 threats or violent incidents at schools were reported across the country, according to the Educator’s School Safety Network, an advocacy organization that has tracked news reports of threats and violence since 2016. Normally, the group records an average of 10 to 12 incidents a day. The group’s count includes many incidents that turn out to be false alarms or hoaxes.

Since the shooting, Texas has had the most threats, with 55 reports, followed by Ohio, California, Florida and Pennsylvania, according to data from the Educator’s School Safety Network, which tracks such incidents and also trains schools on how to handle them. Because of the threats, at least 33 schools closed and more than 15 others were locked down, according to the USA Today Network.

The threats have sparked a legal debate over what penalties kids should face. Authorities have yet to determine, however, how to deal with such threats, as an arrest could jeopardize a student’s future.

These types of threats are not new. Following the massacre at Columbine High School in 1999, hundreds of threats were sent to schools across the country, leading to more than 350 arrests. USA Today notes that even with jail as a penalty, threats have been widespread for decades and are not letting up.

Cape Town’s Water Shortage Approaching ‘Day Zero’
Tue, 06 Mar 2018 17:56:10 +0000

Risk Management magazine recently covered the World Economic Forum’s (WEF) 2018 Global Risks Report, in which environmental and technological risks dominate the worldwide threat landscape. The WEF ranked water crises as the fifth-highest risk based on impact, downgraded from the number one spot in 2015. But a diminishing water supply is certainly the top priority in Cape Town, South Africa, which is counting down to an increasingly imminent “Day Zero,” when it will effectively become the first major city to run dry.

In preparation for “Day Zero,” which is predicted to occur on July 9 (although it has been rescheduled several times), officials advised Cape Town’s 4 million residents to limit water use to 50 liters (13.2 gallons) per person per day, hoping to stretch the supply as far as possible. Here’s how the Day Zero date has been calculated:

While assessing its own water supply risks, the Philly Voice equated that amount of water to “…a 90-second shower, two brushings of the teeth, one toilet flush, one cooked meal, a sink-full to wash dishes and a half-gallon of drinking water.”

Cape Town also has tariffs to help finance water and sanitation services and drive down demand for this basic human need. Nevertheless, the dams that supply most of the city’s water are only at 25% capacity as water usage reportedly remains well above targets. Once the dams reach 13.5% capacity, Cape Town intends to shut off the municipal water supply to all but essential services (like hospitals). Residents will then be allowed a daily 25-liter (6.6 gallon) water ration that they must collect from one of 200 water stations, which will be overseen by armed guards.

Researchers from Stellenbosch University, located in the Western Cape province of South Africa, provided a thorough evaluation of the preparedness plan’s feasibility, particularly during the post-Day Zero period. Taking a risk management approach of assuming no additional supply until the next rainy season, they called for strategies that either double the number of distribution points or increase the number of taps and water pressure at each of the 200 points:

“But even these strategies won’t help if Cape Town doesn’t address the reality of conflict and related delays. These are unpredictable and incalculable. They are also the greatest indication for why Day Zero should be avoided at all costs.”

As Risk Management Monitor reported in 2016, “the world’s largest underground water reserves in Africa, Eurasia and the Americas are under stress, with many of them being drawn down at unsustainable rates. Nearly two billion people rely on groundwater that is considered under threat.”

Water Foundry Founder and CEO Will Sarni recently offered a six-step strategy that other cities can take to avoid future Day Zeroes; the plan calls for the combined efforts of private sector leaders and public sector authorities:

“In building a solution, we call for a greater role for market forces balanced with regulatory oversight. In particular, the private sector has an essential role to play in devising technology and infrastructure solutions. But we have to incentivize companies to develop these solutions and then reward those that succeed. We applaud the initiatives of companies such as Coca-Cola Peninsula Beverages, ABInBev and others, but we need much more.”

The BBC has listed 11 other major international cities that may be faced with a similar water supply crisis.

TSA’s Anti-Terror Trackers Tested at Penn Station
Thu, 01 Mar 2018 18:01:54 +0000

The Transportation Security Administration (TSA) had a presence in New York’s Penn Station this week, as it partnered with Amtrak to test new security technology that can help prevent and detect risks of terrorism and violence.

The TSA set up a passive system known as a stand-off explosive detection unit at the Amtrak concourse to identify individuals carrying/wearing a person-borne improvised explosive device (PBIED), such as a suicide bomb or vest. Such a vest was worn by terror suspect Akayed Ullah, when he attempted to blow himself up in a tunnel connected to the Port Authority in Midtown Manhattan last December.

The system will be tested at Penn Station through the end of this week and operated by Amtrak police officers. TSA spokesperson Lisa Farbstein said that local enforcement agents can be trained on the technology and laptop in one day and that local police would establish protocol if a weapon were to be detected.

According to TSA information, the unit’s main feature is a screening technology that can be used by Amtrak and mass transit agencies to detect potential threats—metallic or non-metallic—by identifying objects that block the naturally occurring emissions from a person’s body. The unit does not emit any radiation and no anatomical details of a person are displayed.

The use of the detection technology enables a rail or transit agency to help safeguard against terrorist threats in a mass transit environment. The TSA is supplying two models of the equipment for the purposes of the demonstration. One model is mounted on a tripod, the other is contained in a trunk.

The equipment is mobile, which allows agencies to easily relocate it to different stations. Users operate it via a laptop computer in the station. The image that appears on the laptop reveals concealed objects that block the body emissions and indicates the location and size of those objects on a green image of an individual.

Penn Station was the most recent stop in the new technology’s national testing tour. In December 2017, the scanners were used in the Los Angeles 7th Street metro station where more than 86,000 people pass through each weekday; one month earlier they were used by Amtrak in Washington, D.C. They were also used in Secaucus, New Jersey in 2014 as riders made their way to MetLife Stadium for Super Bowl XLVIII.

Amtrak Positive About Meeting PTC Deadline
Wed, 28 Feb 2018 14:45:33 +0000

Earlier this month, Amtrak President Richard Anderson told the House railroads subcommittee that his company is on target to complete installation of positive train control (PTC) on the infrastructure it controls and on all of its equipment by the Dec. 31, 2018 federal deadline. He warned, however, that trains without PTC by the deadline could not use Amtrak’s tracks.

“We believe that PTC should ultimately be in place for all Amtrak routes and, as a matter of U.S. policy, PTC should be required for all passenger rail trips in America,” Anderson told the House Subcommittee on Railroads, Pipelines and Hazardous Materials.

PTC is designed to eliminate human error by using four components: GPS satellite data, onboard locomotive equipment, the dispatching office and wayside interface units. The system communicates with the train’s onboard computer, allowing it to audibly warn the engineer and display the train’s safe braking distance based on its speed, length, width and weight, as well as the grade and curvature of the track, according to railroad operator Metrolink. If the engineer does not respond to the warning, the onboard computer will activate the brakes and safely stop the train.

Anderson’s testimony poses a challenge for major transportation providers like NJ Transit, whose trains run on the Northeast Corridor east of the Hudson River tunnels to New York City. Committee members have noted that NJ Transit “hasn’t even started” the process of installing PTC, while the company’s spokeswoman maintains that despite delays attributed to software compatibility, she believes they can meet the deadline. According to a Federal Railroad Administration progress report, 8% of NJ Transit’s locomotives and none of its tracks were updated with PTC as of the end of 2017.

After Congress passed the PTC Enforcement and Implementation Act of 2015 it also authorized the FAST Act, which allocated $199 million in PTC grant funding and specifically prioritized PTC installation projects for Railroad Rehabilitation and Improvement Financing funding. The Association of American Railroads estimates that freight railroads will spend $10.6 billion implementing PTC, with additional hundreds of millions each year to maintain. The American Public Transportation Association has estimated that the commuter and passenger railroads will have to spend nearly $3.6 billion on PTC.

“Without PTC, the system is too vulnerable to single points of failure, many of which are dependent upon the memory of a single human being interacting with a big, complicated system,” Anderson said. “When an engineer loses situational awareness or forgets a rule, we have no systems to assist them and help them prevent that error.”

He also noted that Amtrak is taking additional steps, such as installing inward-facing cameras. “These cameras monitor locomotive and engineer performance and are installed in Amtrak trains along routes in the northeast, midwest, and west and we are actively working to install them on Amtrak trains nationwide. Reviewing the data from these cameras, coupled with the data from our efficiency testing programs, provides us an excellent view of operational issues to be addressed in future training programs.”

Efforts to upgrade train technology have been a nationwide priority. The most recent major derailment occurred on Dec. 18, 2017 when an Amtrak train derailed near Tacoma, Washington, killing three passengers and injuring about 100. That crash was the result of excessive speed in a steep curve, which experts suggested could have been prevented with PTC’s automatic braking technology. Amtrak Train No. 501, on its inaugural run, was traveling 80 miles per hour in an area limited to 30 miles per hour when it derailed on an overpass, sending the train’s 12 coaches and one of its two engines careening onto the highway below.

Companies Continue to Grapple with Cyberrisk, Study Finds
Mon, 26 Feb 2018 20:34:55 +0000

As technology becomes more critical to company success, the number of cyberattacks has climbed. As a result, cyberrisk has become one of the top risks for companies around the world, according to the Marsh-Microsoft Global Cyber Risk Perception Survey. Almost two-thirds of survey respondents identified cyberrisk as one of their organization’s top-five risk management priorities—almost double the percentage who rated cyber as a top risk in a 2016 study, Marsh said, adding that respondents whose organizations had been successfully attacked were slightly more likely to prioritize cyberrisk than those who had not.

Despite these concerns, however, the study notes that just one in five respondents said they are “highly confident in their organization’s ability to manage and mitigate cyberrisk or respond and recover from an attack.” This was especially the case among corporate directors, who play an important role in protecting their organization from cyber threats. While about 70% of respondents who identified as board members said they ranked cyberrisk as a top-five concern, only 14% said they were “highly confident” in their organization’s ability to respond to an attack.

Board Disconnect

While organizations have traditionally relied on IT staff to manage cyberrisks, the structure of oversight is evolving in many companies as risks accelerate. Stakeholders from across the enterprise are looking beyond prevention to include risk assessment, mitigation and cyber resilience. Asked about cybersecurity structure, however, 70% of respondents named their IT department as a primary owner and decision-maker of the risk.

This was more often true for smaller companies, as larger organizations tended to spread the responsibility for cyberrisk—from a low of 13% in the smallest organizations (many of which may not have a separate risk management function) to 58% in the largest organizations with more than $5 billion in revenue, the study found.

Ideally, boards should view cyberrisk management as part of their overall perspective on enterprise risk management. In organizations where the board is involved, however, the study found a disconnect:

Corporate directors often appear to either not understand the information on cyberrisk they receive, or to not be receiving it at all. For example, 53% of chief information security officers, 47% of chief risk officers, and 38% of chief technology/information officers said they provide reports to board members on cyber investment initiatives. Yet only 18% of board members said they receive such information.

This information gap illustrates a need to develop cyberrisk economic/business models that facilitate shared dialogue including common language among IT, the board, and other corporate departments. This disconnect also reinforces the need for a cross-functional approach to cyber risk governance, according to the study.

2016 Drug Overdose Death Rate 3-Times Higher than in 1999
Wed, 21 Feb 2018 21:14:32 +0000

Deaths from drug overdose have reached crisis proportions in the United States, with more than 63,600 deaths in 2016—more than three times that of 1999. The majority were males, whose death rate increased from 8.2 in 1999 to 26.2 in 2016, compared to females, whose rate rose from 3.9 in 1999 to 13.4 in 2016, according to the Centers for Disease Control and Prevention (CDC).

Authors of the report noted, “The pattern of drugs involved in drug overdose deaths has changed in recent years. The rate of drug overdose deaths involving synthetic opioids other than methadone (drugs such as fentanyl, fentanyl analogs, and tramadol) doubled in a single year from 3.1 per 100,000 in 2015 to 6.2 in 2016. Additionally, it’s important to note that many drug overdose deaths may involve multiple drugs.”
Of people age 15 and above:

• Rates of drug overdose deaths increased from 1999 to 2016 for all groups studied.

• Rates in 2016 were highest for people between the ages of 25 and 54.

• From 2015 to 2016, the drug overdose death rates for adults age 45-54, 55-64 and 65 and above went up 15%, 17% and 7% respectively, the CDC said.

In 2016, 22 states and the District of Columbia had overdose death rates that were statistically higher than the national rate. States with the highest number of overdose deaths were: West Virginia, with 52 per 100,000; Ohio with 39.1; New Hampshire with 39; District of Columbia with 38.8; and Pennsylvania, which had 37.9 deaths per 100,000.

States with the lowest age-adjusted drug overdose rates were: Iowa, which had 10.6 deaths; North Dakota, 10.6; Texas, 10; South Dakota, 8.4; and Nebraska, which had 6.4 deaths.

In its most recent study, Quest Diagnostics found that workforce use of illicit drugs across the board—including cocaine, marijuana and methamphetamine—has climbed to the highest rate in 12 years.

Overall positivity in urine drug testing among the combined U.S. workforce in 2016 was 4.2%, a 5% relative increase over last year’s rate of 4%—the highest annual positivity rate since 2004 (4.5%), according to an analysis of more than 10 million workforce drug test results.

A year after the spillway collapse at the Oroville Dam, leading to evacuations of almost 200,000 residents and a beat-the-clock patching job to avoid a break in the tallest dam in the United States, new legislation to strengthen inspections of dams awaits approval of California Gov. Jerry Brown.

The bill would require annual inspections for high hazard dams, raise inspection standards and require consultation with independent experts every 10 years, according to ABC News.

As reported by Risk Management Magazine, problems at the Oroville Dam began when the dam’s main sluice was damaged after a winter season of record rain and snowfall, following five years of drought. Torrential rainfall caused water levels to rise so quickly that large amounts needed to be released to prevent the dam from rupturing and sending a wall of water to the communities below.

A recent report of the root-cause of the spillway failure by the Independent Forensic Team (IFC), which includes members of the Association of State Dam Safety Officials and the United States Society of Dams, notes that:

There was no single root cause of the Oroville Dam spillway incident, nor was there a simple chain of events that led to the failure of the service spillway chute slab, the subsequent overtopping of the emergency spillway crest structure, and the necessity of the evacuation order. Rather, the incident was caused by a complex interaction of relatively common physical, human, organizational, and industry factors, starting with the design of the project and continuing until the incident. The physical factors can be placed into two general categories:

The IFC report concludes that all dam owners in the state need to “reassess current procedures” in light of its findings.

According to the IFC:

“The fact that this incident happened to the owner of the tallest dam in the United States, under regulation of a federal agency, with repeated evaluation by reputable outside consultants, in a state with the leading dam safety regulatory program, is a wake-up call for everyone involved in dam safety. Challenging current assumptions on what constitutes ‘best practice’ in our industry is overdue.”

Initial response to the spillway failure included erosion mitigation for both spillways during the incident, sediment removal and installation of temporary transmission lines at a cost of $160 million, according to the DWR. Phase two includes removal of the original 730 feet of the upper chute, replacing it with structural concrete.

Prepare Now for Ransomware
Mon, 12 Feb 2018 14:24:20 +0000

In 2017, a company was hit with ransomware every 40 seconds. Organizations in all industry sectors were subject to ransomware attacks, as these attacks often opportunistically take advantage of security shortcomings. The average ransom demand was more than $1,000.00—greater than three times the average in 2015. What’s more, one in five businesses that paid ransom never got their data back.

So, how do you protect your business? First, make sure you are insured. While traditional policies provide little, if any, coverage for damage to electronic data—and none for other costs associated with cyber extortion—these losses are covered by cyber extortion insurance, which is available under many cyber liability policies. Cyber extortion provisions typically cover ransom payments and extortion-related expenses such as costs incurred in negotiating the ransom and restoring or replacing data or software.

But insurance is just one aspect of the protection your business should have. Companies also need to prepare an Incident Response Plan (IRP) that establishes responses to ransomware attacks. An IRP should be a “living, breathing” document that is consistently updated to ensure that its information and procedures are accurate and up-to-date. Typical topics addressed by an IRP are:

The Incident Response Team. The IRP must identify the team in charge of responding to ransomware attacks. This team should include an executive and inside counsel, and should provide back-ups in case first-line members cannot be reached. The IRP should contain 24-7 contact information for all team members, including means of contact that do not rely on the business-provided phones or email that may be affected by the attack.

Additionally, the IRP should identify team members’ specific responsibilities, such as implementing security measures, investigating the attack, communicating with the extortionists, communicating with customers or the public, and notifying insurance carriers and law enforcement.

Detecting an Incident. The IRP should identify steps for employees to take if they suspect or detect a ransomware attack.

Approved Vendors. As you will likely need outside assistance to respond to an attack, your IRP should identify approved vendors such as outside coverage counsel, investigative and cybersecurity firms, and a PR firm to assist with external communications.

Reporting to Law Enforcement. The IRP should define when and how ransomware attacks must be reported to which law enforcement agencies. It should also address what evidence should be collected and preserved, and how. Ideally, these issues should be discussed with the relevant agencies ahead of time, which also helps build a cooperative relationship with them.

Notifying Insurance Carriers. The IRP should identify all insurance policies that could provide coverage for a ransomware attack and detail steps to comply with each policy’s notification requirements. Outside coverage counsel can assist with both identifying relevant policies and provisions, and following notification requirements.

Responding to Extortionists. The IRP must identify who communicates with the extortionists and who decides whether and how to respond to their demands. This should include steps for how to make potentially required electronic currency payments.

Investigating the Incident. The IRP should define who is responsible for investigating a ransomware attack and include a checklist detailing specific response steps. It should also establish procedures to increase the chances of identifying the extortionists, and to detect and address security vulnerabilities.

Documenting the Response. The IRP should set forth steps to document both your response to and your investigation of the attack, including contacts with the extortionists, the decision-making process resulting in a response, and the technical response and investigation, including the preservation of evidence. Such documentation may be required by regulatory agencies or insurers.

Public Relations. To facilitate communications about the attack with customers or the public, the IRP should assign responsibility for doing so and define steps for preparing and releasing such communications.

User Training. End-user training of all employees, including management, is key to preventing ransomware attacks. The IRP needs to contain procedures to ensure that all employees receive such training periodically, as common threats change over time.

Appropriate insurance coverage; an IRP that is consistently updated, including through “post mortem” evaluations following attacks; and up-to-date systems security are critical to prepare your business for—and to the extent possible, protect it from—potential ransomware attacks.